As reported in Federal Computer Week, Cartwright said: "History teaches us that a purely defensive posture poses significant risks," and that if "we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests..."
Of course, the general is correct. But his reasoning illustrates perfectly why peacetime and wartime are different, and why generals don't make good police chiefs.
A cyber-security policy that condones both active deterrence and retaliation -- without any judicial determination of wrongdoing -- is attractive, but it's wrongheaded, not least because it ignores the line between war, where those involved are permitted to determine when counterattack is required, and crime, where only impartial third parties (judges and juries) can impose punishment.
In warfare, the notion of counterattack is extremely powerful. Going after the enemy -- its positions, its supply lines, its factories, its infrastructure -- is an age-old military tactic. But in peacetime, we call it revenge, and consider it dangerous. Anyone accused of a crime deserves a fair trial. The accused has the right to defend himself, to face his accuser, to an attorney, and to be presumed innocent until proven guilty...
I'm glad General Cartwright thinks about offensive cyberwar; it's how generals are supposed to think. I even agree with Richard Clarke's threat of military-style reaction in the event of a cyber-attack by a foreign country or a terrorist organization. But short of an act of war, we're far safer with a legal system that respects our rights. (emphasis added)
I think Bruce is wrong on two counts. The first requires you to decide if you think the United States is currently engaged in "cyberwar." I think we are close enough to cyberwar to authorize deterrence and offensive activities. The FCW article Bruce cites also said the following:
The Stratcom commander told the committee that the United States is under widespread, daily attacks in cyberspace. He added that the country lacks dominance in the cyberdomain and that it could become “increasingly vulnerable if we do not fundamentally change how we view this battle space.” (emphasis added)
The term I highlighted is important and it may not be significant to those without .mil experience. Dominance of the battlespace is a tenet of American warfare. It's the reason we are very good at obliterating enemies (and probably less good at rebuilding them). (Note: please spare me any political responses here. I am not trying to make a political statement. I am speaking based on wearing a uniform for 11 years and the doctrine and training associated with that experience.)
For example, various states of control describe how the Air Force views warfare in the aerospace domain:
- Air parity: control of the skies only above friendly troop positions
- Air superiority: control whereby friendly forces can act without prohibitive interference by the opposing force
- Air supremacy: a degree of air superiority wherein the opposing air force is incapable of effective interference
Based solely on open source threat reports (open source meaning in the press and unclassified, not OSI licensed!), the Air Force (and the entire .mil/.gov) doesn't even have "air parity." This means we are losing the battle in a domain that the Air Force, military, and national security apparatus considers crucial. The Air Force and DoD are acting because we do not even have control of our own "airspace." I'm looking forward to seeing what the Air Force Cyberspace Command does later this year when activated.
The second reason Bruce is wrong involves his excessively pacifist attitude. He says "going after the enemy... in peacetime [is] revenge." This is not true. Police forces routinely run sting operations, raid suspected crystal meth labs, and take plenty of other offensive activities to remove threats before they continue to perpetrate their crimes. Police also patrol the streets, projecting force and control and deterring crimes.
While I agree that the military is not a police force, the military is currently the only force with the ability to take the fight to the enemy. Police forces are barely able to address a limited number of defensive investigations. They have zero capability to run anything other than "to catch a predator"-type sting operations.
The bottom line is we losing the battle in cyberspace and something has to change. We cannot code, block, or patch our way out of this situation.